Census phishing? Not quite.

Some weeks ago, JPCERT/CC and various news sites in Japan observed an interesting domain apparently targeting a Japanese government site (do not visit, potentially malicious):

 
www. e-kokusei. go. jp. net

Note the ".net" at the end. 

So, what is the presumed target, e-kokusei.go.jp?  It's the site of the first national census conducted electronically in Japan.  As well as a traditional paper form, each census information package also contained a sealed, unique ID number and password that allowed residents to log into the census website.  The census has been completed and the official website has now been closed.


 
Scammers targeting a national census would certainly be a very worrying development.  Is it a phishing site designed to steal all the very private information that goes into a census form?  What was at the suspicious web site?  This:


Source: http://d.hatena.ne.jp/razgriz1/20100929/1285764652

It turns out that whoever has registered jp.net is also allowing wildcard resolution to any subdomain under it.  Type in [anything].jp.net, and it will resolve to one of two IP addresses.
 
As far as anyone can tell, it was an advertising site, apparently registered to a US organisation.  It's difficult to verify what the precise objective of this site was, though there are reports that the various sites linked off to carried fake anti-virus and other undesirable software at some point.

 
Census questions are quite detailed (annual income, address, information on family members etc), which could provide useful profiling information for an attacker.  Although most information points to this site not being specifically targeted at Japan's census, it certainly caused some alarm in Japan.
Back
Top
Next